(54) Abstract Title: A method of controlling the processing of data

(57) A method of controlling the processing of data is provided comprising defining security controls for a plurality of data items, and applying individualised security rules to each of the data items based on a measurement of integrity of a computing entity to which the data items are to be made available.

For example, data items 52, 54, 56, 60 are transmitted according to specific security rules in a definitions section 50, the rules specifying how data is transferred for each field according to an assessed level of trust or integrity of the location to which the data is to be transferred. The security/usage control could be more complex to apply masking means such as an encryption key for masking and/or encrypting an item of data.



Fig. 3 (security rules within a data set; reference numerals as used in the description)

Definitions (section 50):
  H, always contact owner.
  M, only sent to trusted platforms.
  L, require identity of recipient only.
  0, none.

DATA (fields 52, 54, 56; item 60 is the age):
  Surname (54):  H
  Forename (56): L
  Postcode:      H
  County:        M
  City:          M
  Road:          H
  Gender:        0
  Age (60):      specific rule 61, round to nearest 5 unless platform trusted

TEST DATA (70):
  Dummy name (71):    Smith
  Dummy age (72):     35
  Dummy address (73): Mytown

At least one drawing originally filed was informal and the print reproduced here is taken from a later filed formal copy.
Fig. 1 (questions asked when an individual seeks insurance)

  Question no.   Question
  1              AGE?
  2              GENDER?
  3              NAME?
  4              ADDRESS?
  25             HAVE YOU HAD OR DO YOU HAVE DISEASE X?

Fig. 2 (data block 20 subdivided into fields 22, 24, 26, each with its own security control)

  Field 1   Security control 1
  Field 2   Security control 2
  Field 3   Security control 3
Fig. 4 (flow chart of the creation of a data set)

  400  Get proforma
  410  Populate user data
  420  Set user security options
  430  Generate components
  440  Connect to internet
Fig. 6 (operation with regard to an untrusted node)

  600  Apply mask
  610  Erase symmetric mask
  620  Send data
  630  Node accepts and signs data
  640  Insurer contacts node
       Node examines statements of work undertaken, match found?
       Yes: Send data
  670  Receive quote
  680  Encrypt data, append ID and publish
Fig. 7 (operation with regard to a trusted node)

  700  Send data
  710  Node accepts data
  720  Insurer contacts node
  730  Node examines statements matching statement
  740  Receive executable
  750  Do processing at node
  760  Append data, encrypt, add ID and send

2392262

A METHOD OF CONTROLLING THE PROCESSING OF DATA

The present invention relates to a method of controlling the processing of data, such as private data. In particular the method relates to controlling access to the information contained within the private data.

In order to ensure that the processes handling the processing or transfer of data do not become subverted or corrupted it is advantageous to be able to ensure that a computing platform is trustworthy. Such computing programs are known as trusted computing platforms.

A trusted computing platform may be, for example, of the type described in WO00/48063. Thus the computing platform may contain several trusted compartments which may operate at different levels of trust. The trusted compartments isolate the processes running within the compartment from processes in other compartments. They also control access of the processes or applications running therein to platform resources. Trusted compartments have additional properties in that they are able to record and provide proof of the execution of a process and also provide privacy controls for checking that the data is being used only for permitted purposes and/or is not being interrogated by other processes.

The "walls" of compartments may be defined by dedicated hardware or by being defined in software.

Such trusted computing platform (TCP) architectures are based around the provision of a trusted component which is tamper resistant or tamper evident and whose internal processes cannot be subverted. A TCP preferably includes a hardware trusted component which allows an integrity metric (ie. a summary of an integrity measurement) of the platform to be calculated and made available for interrogation. It is this device which underpins the integrity of a TCP. The trusted component can help audit the build of the platform's operating system and other applications such that a user or operator can challenge the platform to verify that it is operating correctly.



Co-pending applications of the applicant, such as European Patent Application No. 02255245.9 entitled "Privacy of Data on a Computer Platform" filed on 26 July 2002, disclose that it is possible to provide an audit process that can verify that a process can be run on a trusted computing platform, that access by the operator or owner of the trusted computing platform to the processes is inhibited, and that access to the audit information is restricted.

In a preferred implementation the audit process exists within a trusted component thereby ensuring that its operation cannot be subverted. The results of the audit are generally stored in protected or encrypted form in memory within a trusted computing platform. The audit data is itself partitioned into sets such that investigation of audit data in one set does not disclose the data in other ones of the audit sets. The trusted component may make an assessment of one or more computing platforms which request the audit data. If the platform is of an unknown or untrusted type, and/or has unapproved means for viewing the audit data, then the data may be withheld.

It is advantageous to propagate private information through a computer platform or system or network, to take advantage of resources and services. Trusted computing platforms, of the type described previously, for example, may provide a safe processing environment for private information provided that the owner of the private data retains control over the private information.

According to a first aspect of the present invention there is provided a method of controlling the processing of data, wherein the data comprises a plurality of usage rules for a plurality of data items, and applying individualised usage rules to each of the data items based on a measurement of integrity of a computing entity to which the data items are to be made available.

It is thus possible to provide a method of controlling access to data in which each data item has individual usage rules which may comprise individual mask data.
The usage rules may define the use for which the data can be used and/or the security to be applied to the data items.

The data items may be fields within a block of data. Thus a data item might be an individual's age, another might be their surname and so on. Preferably the data is private.

Preferably each data item can be made confidential by masking it. This may, for example, be achieved by encrypting the data item with its own associated encryption key. Preferably the encryption keys for different data items are different. Thus, in essence, each field is preferably individually maskable by the use of encryption or other forms of masking. A list of keys and associated data items and/or other data can be considered as being mask data. When masking is done by encryption means, the mask data includes both masking (encryption) keys and also unmasking (decryption) keys if the decryption key is different to the encryption key.

Preferably the computing entity or platform that generated the mask data, such as encryption keys, retains the mask data or the ability to regenerate the mask data for as long as it has an interest in the data.

A separate copy of the usage rules, which may include mask data, is advantageously held with each copy or instantiation of the private data. If a data item or field within the data is masked by the use of encryption, the corresponding unmasking entry in the corresponding copy of the mask data is erased. If data is masked using symmetric encryption, the corresponding masking entry in the copy of the mask data is also erased, because in such cases the masking entry inherently provides unmasking information. The computing entity that wishes access to the masked data can be required to contact the entity that generated the mask to obtain the means to unmask the data. Alternatively the computing entity that generated the mask may supply means to the entity that wishes to access the data to enable it to regenerate the mask and to thereby acquire a local copy of the unmasked data.
Individual data items may have individual security rules. A user or owner of the data may be happy to allow information concerning the owner's gender to be made available as that data applies to roughly 50% of any population and hence does not allow the individual to be identified. However some owners may be very conscious that they do not wish to give out full address information or post code (zip code) information as it enables them to be identified, either individually or as a member of a small group of people. An owner of data can therefore individualise the security rules for each data item.

The data may be required by a plurality of computing entities. The instantiation of the data at any entity depends on the capabilities of that entity but preferably includes all the data, and even more preferably masking data, masked data and unmasked data. A computing entity may be a computer platform or it may be a service, process or application running on the computer platform.

Thus different applications which constitute different entities on the same computing platform may be presented with differing views (instantiations) of the data.

A computing entity, either hardware or software, is often called a "node" and this term will appear hereinafter.

Preferably the computing entity is or is executed on a trusted computing platform.

Preferably where data is transferred between computing platforms it is transferred in a secure manner, for example in confidential form with proof of origin, authenticity and integrity, and any such security measures taken for the transport of data are preferably in addition to any security measures acting on the data items by virtue of security controls in their usage rules.

Thus, it may be presumed that the information is made available only to the intended recipient. Even if the data is in encrypted form when being passed by the transport processes between nodes, the data once it arrives at a node can be considered as being in plain text form, except for those data fields that the supplier of the data has chosen to mask by virtue of the security rules applied to particular data items.

Preferably a computing entity or node can [...] selected data items currently under its control.



The data advantageously is signed by the receiving entity after it is transferred between computing entities. The signature may be calculated by reference to the non-masked data items within the data. The key used to sign the data is a secret kept by the computing entity signing the data. The corresponding public key is thereafter included within the data. Signatures and/or the corresponding public key may be used in an audit trail to verify that a node has sent data or to prevent false accusation of sending data.

Preferably the data is associated with constraints which define and/or limit the purpose for which the data can be used, where it may be propagated, a time frame in which the data may be used or propagated or manifested, and the parameters that computing platforms must satisfy.

Advantageously the data comprises both real data, such as real private data, and also test data that has a structure similar or congruous to that of the real data but is innocuous. Thus release of the test data is unlikely to evoke undesirable consequences but can be used to examine the performance and/or security or integrity of a node to which the real data may be released depending on the results obtained using the test data.

Preferably hostage material may be delivered to the owner of the data or the node issuing the data. The purpose of the hostage material is to provide means of compensation or redress to the owner of the data if it transpires that the data has been misused or that constraints imposed by the owner of the data have not been obeyed.

A trusted third party may need to be contacted in order to activate the hostage
Advantageously a node that finds itself in possession of data (ie. private data, whose history is unknown, dubious, or in some other way undesirable, for example because the history or content of the data do not meet requirements, for example because a new "security policy" has changed predetermined requirements) formats the data, preferably using a public encryption key which is transported as part of the data, and places the data in a repository. The repository may be open to inspection by certification and policing authorities. Advantageously the repository contains encrypted data, with the means associated with the data to enable the owner of the data to identify it.

The means enabling the owner to identify the data may be an identifier automatically or manually associated with the data by the owner of the data.

It is possible that data processing may start at a first node and later on involve another node that already contains an instantiation or manifestation of the same private data. This may be because use of the private data requires access to other (possibly secret) data that does not exist at the first node. Alternatively the other node may contain an unmasked version of the private data and may also advantageously contain other data that can be used to unambiguously identify the entity (which is likely to be the owner of the data) that determined the constraints that are associated with and apply to

The nodes may be normal computing platforms, ie. PCs and mainframes. Preferably the nodes have the architecture and functionality of trusted computing platforms and most preferably are arranged such that access to data and the results of processing on the data is set solely by constraints associated with the data. Thus the computing platform owner or administrator cannot observe the data or the results of the processing if such observation is not permitted by the constraints associated with the data.

Preferably the data is manipulated by nodes comprising a trusted computing platform running a compartmentalised operating system, with some of the compartments being secure and one of the compartments running an audit portal as described in the Hewlett Packard patent application titled "Audit Privacy" and whose techniques and teachings are incorporated herein by reference.
Thus the audit portal and an associated audit viewer running in another compartment store audit information using encryption, and store the decryption keys in a trusted computing module protected storage function. The audit viewer provides the only method of viewing the audit data.

The trusted computing module makes integrity measurements of the operating system and will only release the audit keys to view the audit data if the operating system is in the correct state.

The administrator can run any application he likes or change the operating system (because he is the administrator) but if he alters any setting that affects the mandatory audit and/or viewing properties, thus seeking to give himself rights to view the data, the trusted computing module measures the change and will not release the keys that provide access to data.

Preferably the data is enabled for use by the computing entity via cryptographic keys. Preferably such cryptographic keys, or at least one key providing access to those keys or other means of enabling access to the data (such as logical information or addressing information), are stored within the trusted computing module and can be erased via instructions originating from the private data or via signed signals received by the trusted computing module.

Preferably the data can contain audit instructions. The audit instruction may contain or comprise contact information that enables, or indeed requires, messages to be sent to previous nodes that had propagated the data. The data may prescribe the frequency with which previous nodes must be contacted. It may also prescribe the number of contacts, failed contacts or propagations that the data may undergo before any instantiation of it must be erased.



Advantageously prior to copying data to another computing entity a check is made on a propagation control rule or word which controls whether further copies of the data are permitted. The rule may contain a copy count that is modified each time that data is propagated. If further copies are permitted, the computing entity creates a temporary copy of its own instantiation of the data and signs all the unmasked fields of the data if the current signature is unsuitable or no such signature exists, for example if all of the data or additional data was created on this computing entity. The computing entity then interrogates the destination entity. Such interrogations may for example be in accordance with the "TCPA design philosophies and concepts" versions 1 and 1.1 published by the Trusted Computing Platform Alliance, the current URL of which is www.trustedpc.org or www.trustedcomputing.org. Reference should also be made to "Trusted computing platforms: TCPA technology in context", Balacheff, Chen, Plaquin, Pearson & Proudler (Ed: Pearson), published by Prentice Hall, ISBN 0-13-009220-7.

Depending on the privacy mechanism and privacy policies supported by the destination entity, the computing entity preparing to send the data masks none or some or all of the data items in its temporary copy in accordance with the individualised security rules relating to those items and/or global rules set by the owner of the data. A recipient therefore receives only the unmasked data that the rules permit him to receive.

The entity preparing to send the data may then, when appropriate, erase the corresponding copy of the unmasking data (eg. a symmetric key or private asymmetric key) in the temporary copy, and may erase the corresponding copy of the masking data (eg. a symmetric key) in the temporary copy. The temporary copy of the data is then sent to the receiving computing entity where it becomes that entity's instantiation of the data.

Upon receiving the copy of data, the receiving entity generates any new secrets that will accompany the data in future, such as a new signing key. It then increments the copy control word (this may have been done when preparing the copy for transmittal) and signs the data with a new or existing private signing key and appends the new public signing key to the data.
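The propagation procedure described above, as an added example in Go that is not part of the patent: PrepareCopy checks the copy count against its limit, masks the named fields of a temporary copy with a random-string symmetric mask, erases those mask entries from the copy (the originator retains them) and signs the fields the recipient can read; Accept verifies that signature and re-signs with the receiving node's own key. Ed25519 signatures, an XOR mask and SHA-256 over a sorted field list are choices made for this example, not the patent's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Instantiation is one node's copy of the private data with its usage-rule state.
type Instantiation struct {
	Fields               map[string][]byte // field name -> value, plain or masked
	Masked               map[string]bool   // fields currently masked
	MaskData             map[string][]byte // per-field symmetric mask (random string)
	CopyCount, CopyLimit int               // stage identifier and its upper limit
	Signature            []byte            // signature over the unmasked fields
	SignerPub            ed25519.PublicKey // public signing key appended to the data
}

// NewInstantiation returns an empty copy with the given propagation limit.
func NewInstantiation(limit int) *Instantiation {
	return &Instantiation{Fields: map[string][]byte{}, Masked: map[string]bool{},
		MaskData: map[string][]byte{}, CopyLimit: limit}
}

// NewSigningKey generates a node's secret signing key (Ed25519 is assumed here).
func NewSigningKey() ed25519.PrivateKey {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return priv
}

// xorMask applies a random-string symmetric mask; applying it again unmasks.
func xorMask(value, mask []byte) []byte {
	out := make([]byte, len(value))
	for i := range value {
		out[i] = value[i] ^ mask[i]
	}
	return out
}

// digestUnmasked hashes the unmasked fields in canonical order (what the recipient can read).
func digestUnmasked(inst *Instantiation) []byte {
	var names []string
	for n := range inst.Fields {
		if !inst.Masked[n] {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s=%x;", n, inst.Fields[n])
	}
	return h.Sum(nil)
}

// PrepareCopy is the sending node's procedure: check the propagation control word,
// make a temporary copy, mask the named fields, erase those mask entries and sign the rest.
func PrepareCopy(src *Instantiation, maskFields []string, signer ed25519.PrivateKey) (*Instantiation, error) {
	if src.CopyCount >= src.CopyLimit {
		return nil, errors.New("propagation control: copy limit reached")
	}
	tmp := NewInstantiation(src.CopyLimit)
	tmp.CopyCount = src.CopyCount + 1
	for n, v := range src.Fields {
		tmp.Fields[n], tmp.Masked[n] = append([]byte(nil), v...), src.Masked[n]
	}
	for n, m := range src.MaskData {
		tmp.MaskData[n] = m
	}
	for _, n := range maskFields {
		if _, ok := tmp.Fields[n]; !ok || tmp.Masked[n] {
			continue // unknown field, or already masked upstream
		}
		mask := src.MaskData[n]
		if mask == nil { // the originator generates the mask and retains it
			mask = make([]byte, len(tmp.Fields[n]))
			rand.Read(mask) // never returns an error in current Go
			src.MaskData[n] = mask
		}
		tmp.Fields[n], tmp.Masked[n] = xorMask(tmp.Fields[n], mask), true
		delete(tmp.MaskData, n) // a symmetric mask is also the unmasking key
	}
	tmp.Signature = ed25519.Sign(signer, digestUnmasked(tmp))
	tmp.SignerPub = signer.Public().(ed25519.PublicKey)
	return tmp, nil
}

// Accept: the receiver verifies the sender's signature, then re-signs with its own key.
func Accept(recv *Instantiation, signer ed25519.PrivateKey) error {
	if !ed25519.Verify(recv.SignerPub, digestUnmasked(recv), recv.Signature) {
		return errors.New("signature over unmasked fields does not verify")
	}
	recv.Signature = ed25519.Sign(signer, digestUnmasked(recv))
	recv.SignerPub = signer.Public().(ed25519.PublicKey)
	return nil
}
```

A node that later wants a masked field must contact the originator, which still holds src.MaskData for it; the copy itself carries no way to unmask.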
The receiving entity may further process the received data, and fully or partly processed results as a result of executing processing on the data may also accompany the data in future.

Where the data has no return information, thereby preventing its owner from being traced via the return information, the data may need to be published so that its owner can pick it up. The published data may include the results of processes, such as tendering, performed on the data.

Preferably such publication is performed by encrypting the data using a public key contained within the data. This may ensure that the data can now only be viewed by its rightful owner. An identifier defined by the owner is then appended to the data. The identifier may be a random sequence, say 20 bytes or so long, which the owner's data processor will search for. Alternatively, an identifier is appended to the data and then the data is encrypted. Thus an owner of data may choose to perform speculative decryption to search for the identifier.

The data is then published in one or more predefined depositories where the owner can search for it. Data may be published more than once, and may be encrypted using different public depository keys associated with the data.
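The two publication variants just described (encrypt, then append the identifier in clear; or append the identifier first and encrypt everything so that the owner must decrypt speculatively), as an added Go example that is not from the patent. RSA-OAEP as the owner's public depository key, and the Entry and Collect names, are assumptions made for this example; the depository contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Entry is one item published in a depository: the ciphertext and, for the
// first variant on the page, a cleartext identifier the owner can search for.
type Entry struct {
	Ciphertext []byte
	ClearID    []byte // nil when the identifier was encrypted with the data
}

// NewOwnerKey generates the owner's depository key pair (RSA-OAEP is assumed).
func NewOwnerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewOwnerID returns an owner-defined identifier: a random 20-byte sequence.
func NewOwnerID() ([]byte, error) {
	id := make([]byte, 20)
	_, err := rand.Read(id)
	return id, err
}

// PublishClearID encrypts the data under the owner's public depository key and
// appends the identifier in clear, so the owner's processor can search on it.
func PublishClearID(pub *rsa.PublicKey, id, data []byte) (Entry, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
	if err != nil {
		return Entry{}, err
	}
	return Entry{Ciphertext: ct, ClearID: id}, nil
}

// PublishHiddenID appends the identifier first and encrypts the whole, so
// nothing in the depository links the entry to its owner.
func PublishHiddenID(pub *rsa.PublicKey, id, data []byte) (Entry, error) {
	plain := append(append([]byte{}, id...), data...)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	if err != nil {
		return Entry{}, err
	}
	return Entry{Ciphertext: ct}, nil
}

// Collect is the owner's search over a depository: entries carrying a clear
// identifier are matched directly, the rest are decrypted speculatively and
// kept only when the recovered prefix is the owner's identifier.
func Collect(priv *rsa.PrivateKey, id []byte, depository []Entry) [][]byte {
	var found [][]byte
	for _, e := range depository {
		if e.ClearID != nil && !bytes.Equal(e.ClearID, id) {
			continue // published for someone else
		}
		plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.Ciphertext, nil)
		if err != nil {
			continue // not encrypted under this owner's key
		}
		if e.ClearID != nil {
			found = append(found, plain)
		} else if len(plain) >= len(id) && bytes.Equal(plain[:len(id)], id) {
			found = append(found, plain[len(id):])
		}
	}
	return found
}

func main() {
	priv, err := NewOwnerKey()
	if err != nil {
		panic(err)
	}
	id, _ := NewOwnerID()
	other, _ := NewOwnerKey()
	otherID, _ := NewOwnerID()
	// Constructed depository: two results for this owner and one for another owner.
	e1, _ := PublishClearID(&priv.PublicKey, id, []byte("quote: 120"))
	e2, _ := PublishHiddenID(&priv.PublicKey, id, []byte("quote: 135"))
	e3, _ := PublishHiddenID(&other.PublicKey, otherID, []byte("not ours"))
	for _, data := range Collect(priv, id, []Entry{e3, e1, e2}) {
		fmt.Printf("recovered: %s\n", data)
	}
}
```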

Advantageously a computing platform may test applications to determine their suitability to process the data. Such tests may be done frequently. Tests may involve the use of test values in the data or associated with the data. The results of such tests may be published, for example, by one of the methods described previously, such as encrypting the data using a public key contained within the data, appending an identifier to the data, and depositing the data within a depository.

According to a second aspect of the present invention, there is provided a method of controlling the processing of data, wherein the data comprises a plurality of rules associated with a plurality of data items, said rules acting to define the use of the data or
security to be observed when processing the data, and [...] performed in accordance with mask means provided in association with the rules.

According to a third aspect of the present invention there is provided a processing system for processing private data, wherein the private data comprises a plurality of data fields and each field is associated with customisation data that controls the use and propagation of the data, and wherein the processing system is subservient to the constraints defined by the customisation data.

According to a fourth aspect of the present invention there is provided a computing device arranged to receive data and security rules associated with the data, and in which forwarding of the data is performed in accordance with the masking means supplied with the security rules instead of with masking means belonging to the computing device.

Embodiments of the present invention will further be described, by way of example, with reference to the accompanying figures, in which

Figure 1 illustrates the type of questions that may occur when an individual is seeking insurance;

Figure 2 schematically illustrates a simple data structure in accordance with an embodiment of the present invention;

Figure 3 illustrates a simple embodiment of security rules within a data set for use with the present invention;

Figure 4 is a flow chart illustrating the steps performed in the creation of a data set;

Figure 5 illustrates the architecture of a trusted platform;

Figure 6 illustrates operation with regard to an untrusted node; and
Figure 7 illustrates operation with regard to a trusted node.

It is now possible to conduct many business transactions electronically. Such business transactions, or the process of tendering for such transactions, may involve the transfer of sensitive or private data from party to party. Transfer of data between unidentified parties can also occur without the knowledge of the owner of the data. This is best illustrated with a simple example.

Supposing that an individual wishes to obtain health insurance. Health insurance companies seek a fairly detailed inspection of an individual's medical history before issuing a quote. Furthermore the quotes issued may vary significantly from insurer to insurer.

It is well known that insurance brokers make their business by comparing the quotes of many insurance companies and then offering their client the best or a list of the best policies.

Such services are now available over the Internet. The individual may log on to a server of a broker and may be required to fill out a form detailing personal information to enable a quote to be derived. Figure 1 shows a table where the questions asked and our hypothetical individual's responses are summarised.

The questions, for example questions 3 and 4 relating to name and address, seek information that is sufficient to uniquely identify the individual. Other questions probe the medical history of the individual and may relate to data that the individual would not want known to others. Thus, for example, question 25 asks a specific question about treatment of a specific disease X. Disease X may be a disease that carries a social stigma or a real and continuing risk to the health of the individual or others close to that person. In order to get valid insurance an individual has to disclose the existence of disease X. However, they may be reluctant to do this since the form also contains information to uniquely identify them.
Following completion of the form, the broker's computer then contacts other computers owned or run by insurers and sends the results of the questionnaire to them. Thus the individual has lost control over his personal information and has no idea where it has been sent, or what processing is being performed on that information.

As will be explained below, the use of computational systems constituting embodiments of the present invention allow a user to engage in electronic business transactions and tendering processes, but also enable him or her to retain ownership and control of private information.

It is important that an owner of private data can be assured that their data will be stored in a trusted environment and that the data will be handled in accordance with known and reliable rules without the risk of any process subverting or disobeying those rules.

It is beneficial at this point to clarify what is meant by private data, and to compare and contrast it with other data types, such as secret data and public data. Public data is data which is in an open form and is in the public domain. Thus anyone can have access to the data, although of course there may be restrictions about what they can legally do with that data. Secret data is data that is not intended to be disclosed. Private data is sensitive data which is not public data but which may need to be disclosed under certain conditions, such as conditions of confidentiality, to a third party.

A user needs to define their data and to indicate the security or confidentiality control that is to be applied to that data. Figure 2 schematically illustrates an example of how user data can be organised in accordance with an embodiment of the present invention. The data, which is provided as a block 20, is subdivided into a series of divisions. The divisions may relate to specific information topics or may relate to specific items of information. In this latter option each division is effectively a field within the data block 20. For the purposes of illustration only, Figure 2 shows only the first three fields 22, 24 and 26 of the data block 20, although it will be appreciated that the block can contain much more information. Each field has its own security control. Thus field 1 is associated with a usage control 1 or a security control 1, field 2 is associated with
security/usage control 2 and so on. The security/usage controls may be held integrally with the data, or in a different file or location provided the association can be maintained.

The security/usage control can be a simple indication of security level which is applied to the field, or it may be more complex and include masking means (such as an encryption key) to be used for masking/encrypting that particular item of data, and/or it may include a definition of rules or tests that are to be applied in order to define the circumstances under which the item of data may be released or propagated.



Figure 3 schematically illustrates a very simple security scheme where individual security levels are set for individual fields. Thus a user may for example set a High, H, security value in relation to his name such that his name is never passed to a third party without him having been contacted to explicitly authorise this. The individual may however allow data about address information, for example his country of residence, to be given out to third parties who themselves satisfy the criterion of being trusted. Mechanisms for determining whether a party is trusted will be described later on. The individual may be fairly relaxed about giving details of his forename or gender and may choose to apply only a low level of security to this data.

Specific security rules may be set in a definitions section 50 relating to the fields 52, 54, 56 of data. However, some items of data, such as age in this example, item 60, may have a specific rule associated with them; thus rule 61 specifies that the age is rounded to the nearest 5 years unless the computing entity requesting the data is a trusted platform.

The data also includes test data 70 that may be used to interrogate the performance of a node. Thus the test data may include a dummy name 71, dummy age 72 and dummy address 73 as part of the entire set of test data 70.
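The Figure 3 scheme as an added Go example that is not from the patent: the levels H, M, L and 0 from definitions section 50 and rule 61 are evaluated field by field against the sender's assessment of the requesting entity. The Recipient and Decision types, the field values and the level chosen for the age field are assumptions made for this example; the page gives the age only its specific rule.

```go
package main

import "fmt"

// Level is a security value from the definitions section 50 of Figure 3.
type Level int

const (
	None   Level = iota // 0: none
	Low                 // L: require identity of recipient only
	Medium              // M: only sent to trusted platforms
	High                // H: always contact owner
)

// Recipient is the sender's assessment of the computing entity asking for the
// data: whether it has proved its identity, and whether its integrity
// measurement matched an approved platform (the "trusted" criterion).
type Recipient struct {
	Identified bool
	Trusted    bool
}

// Field is one data item with its individual security control and an
// optional specific rule of the kind rule 61 attaches to the age.
type Field struct {
	Name, Value string
	Level       Level
	Rule        func(value string, r Recipient) string
}

// Decision records what happens to each field for a given recipient.
type Decision struct {
	Released     map[string]string // field -> value actually sent
	Withheld     []string          // fields the level rules do not permit
	ContactOwner []string          // H fields: owner must authorise first
}

// Apply evaluates every field's own rule against the recipient assessment.
func Apply(fields []Field, r Recipient) Decision {
	d := Decision{Released: map[string]string{}}
	for _, f := range fields {
		switch {
		case f.Level == High:
			d.ContactOwner = append(d.ContactOwner, f.Name)
			continue
		case f.Level == Medium && !r.Trusted, f.Level == Low && !r.Identified:
			d.Withheld = append(d.Withheld, f.Name)
			continue
		}
		v := f.Value
		if f.Rule != nil {
			v = f.Rule(v, r)
		}
		d.Released[f.Name] = v
	}
	return d
}

// RoundAgeUnlessTrusted implements rule 61: the age is rounded to the
// nearest 5 years unless the requesting platform is trusted.
func RoundAgeUnlessTrusted(value string, r Recipient) string {
	if r.Trusted {
		return value
	}
	var age int
	if _, err := fmt.Sscan(value, &age); err != nil {
		return "" // constructed choice: an unparsable age is released empty
	}
	return fmt.Sprint((age + 2) / 5 * 5)
}

// Figure3Fields reproduces the Figure 3 levels with constructed values; the
// level for Age is a constructed choice, as the figure gives it only rule 61.
func Figure3Fields() []Field {
	return []Field{
		{Name: "Surname", Value: "Smith", Level: High},
		{Name: "Forename", Value: "Anne", Level: Low},
		{Name: "Postcode", Value: "AB1 2CD", Level: High},
		{Name: "County", Value: "Mycounty", Level: Medium},
		{Name: "City", Value: "Mytown", Level: Medium},
		{Name: "Road", Value: "High Street", Level: High},
		{Name: "Gender", Value: "F", Level: None},
		{Name: "Age", Value: "37", Level: None, Rule: RoundAgeUnlessTrusted},
	}
}

func main() {
	for _, r := range []Recipient{{}, {Identified: true}, {Identified: true, Trusted: true}} {
		d := Apply(Figure3Fields(), r)
		fmt.Printf("%+v\n  released: %v\n  withheld: %v\n  contact owner: %v\n",
			r, d.Released, d.Withheld, d.ContactOwner)
	}
}
```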

In general each set of private data will comprise information relating to the person or entity as well as other components relevant to ensuring integrity of the data. Thus, in general, the data may contain:
Personal information, such as:

• Name

• Address

• Income

• List of possessions

• Current contractual commitments (subscriptions, mortgage, loans etc.)

• Desires and likes (holidays, music, type of car)

• Applications

• Files

• Medical history

• Location

Applications, which may contain one or more of:

• A description of the computing environment necessary to execute [...]

• A list of the purposes for which the application may be used

• A description of the fields to be produced by the processing

• Tests that may be performed on the fields to be produced by the process

• Hostage material and a description of the procedure for making the hostage material accessible.

• Tests to be applied to a third party computer in [...] within the 3rd party computer.

The other components that will typically form part of the private data may include:

• Test values that are congruent to the basic set of private data, that is they [...] style and data type the real data within the private data.

• Values such as TCPA's PCR values (see the TCPA specification referred to hereinbefore) that indicate the policy system (the platform/software architecture) that is used to enforce the privacy of the private data.
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• A private data ID which is typically a numeric value or character sting which is 
large enough to reduce the diance of random collision with another ID in a system of 
interest to below an acceptable level of [Htibability. 

• Public keys for encryption of data. Such keys may include a public depository key 
for use when encrypting data prior to deposition in a repository, and keys used to verify 
signatures on data. 

• Constraint data. The constraint data, which is part of the security control data, may 
include a list of purposes for v/Uck the data may be used, a description of the fields to 
be imiucod by processing of the data, and tests to be run on the fields resulting fiom 
the processing of the data. 

• A stage identifier, which is a count which is modified each time to indicate how 
many times the data has been used, that is processed or propagated, together with an 
qjpcr limit for preventing further use of the data once a preset number of uses has 
occurred. 

• Contact information identifying the addresses of nodes that have used the data, i.e. 
processed or propagated the data« 

• Symmetric mask data such as a random string or a synotmetric key. 

• Asymmetric mask data, such as an aqmmetric public key and private key pair. 

• Logical masking data, this is an instruction, for example a flag, to instruct the 
recipient not to read the data. 

• Idcntificalion of the trust domain within the data may be copied and/or 
identification of domains firom which the data is excluded. 

Suppose that an individual creates a description about himself on his PDA. That
description may have been produced in response to a proforma (step 400, Figure 4)
seeking the information necessary to fill in an application for insurance. Thus the form
may include details such as name, age, occupation, address, previous insurance history,
information about his car, motoring history and relevant medical conditions. The user
populates the form with data at step 410 and then selects his security options at step
420. The PDA has access to a signature key that is used by the individual to indicate
his approval of the data, by signing it with the signature key. The key may be held
within a user's smart card or similar or may reside within the PDA.
The PDA appends to the data entered by the user other supporting private information
at step 430, such as innocuous test values that are congruent (i.e. of comparable type) to
the personal information, TCPA PCR values that indicate the range of platforms that
may host the private data, a randomly chosen data ID value, a depository key, a public
key used to verify a signature over all the private data, randomly derived mask data
sufficient to mask all the fields of the personal description, a statement indicating the
intended function of the data, that is that it is for use in the generation of a quote for
vehicle insurance, a statement giving constraints on how far the data may be propagated,
thus propagation may be limited to within the United Kingdom only; and a contact
address of the PDA.

Following generation of such information the individual connects his PDA to the
Internet (step 440) and the PDA contacts a search engine, or alternatively uploads the
data to a trusted host that contacts a search engine, to locate nodes that are willing (and
able) to host private data. We will suppose that two nodes are located, one being an
ordinary untrusted computer platform whereas the second node is a trusted computing
platform that provides controlled and audited levels of privacy. Purely for illustrative
purposes, the ordinary untrusted computer platform scenario uses symmetric mask data.
(The trusted computing platform scenario does not do any masking.) The ordinary
untrusted computer platform does not permit execution of external applications. In any
case, it provides no means for the source of such applications to verify that the platform
is a safe place to execute such applications, so it is by no means certain that the source
of such applications would want to execute applications on the ordinary untrusted
computer platform. In contrast, in this example, the trusted computing platform does
permit execution of external applications.

Identifying a trusted platform

The ability to trust a platform underpins the implementation of the present invention.
Security systems have traditionally relied upon placing security features at the
application level. Whilst this is an enhancement it does not guarantee that the operating
system or BIOS has not been tampered with.
WO00/48063 discloses a trusted component built into a computer platform. The
trusted component comprises both built in …

The trusted computing platform, for example as illustrated in Figure 5, includes an
output device such as a VDU 502, or a printer 504; input devices such as a keyboard
506, a pointer which typically is a mouse 508 and a microphone 510. These interface
with the computer 520 which has a data processor 522 which interacts over a bus 524
with a mass storage device 526, semiconductor readable and writable memory 528, and
a read only BIOS 530. In fact, the BIOS 530 may be implemented in a rewritable non-
volatile technology such as EEPROM so that it can be rewritten with care. The
computer also includes interface cards, such as video 532 and sound cards for
interfacing with the peripheral devices as well as communications paths, for example a
universal serial bus 536.



A trusted component 550 is also included within the computer. The trusted component
550 may itself have a direct interface 552 to user input/output devices. Thus, for
example the keyboard 504, mouse 508 and monitor 502 may be connected to a suitable
interface 552 such that the user can be assured that data output on the monitor or
received from the keyboard 504 cannot be interfered with.
The trusted component 550 is a tamper resistant hardware component which is
manufactured in accordance with strict rules and whose operation is assured because its
internal computational processes cannot be subverted.

The trusted component 550 may however be influenced by entities having appropriate
authentication and authorisation mechanisms.

Typically the trusted component 550 will monitor the files and/or data contained in the
BIOS, operating system and applications run on the computer. The monitoring is
dynamic and allows measurements of the computing environment to be made. These
measurements are stored in a reserved memory. The reserved memory may exist within
the trusted component 550 and also in the semiconductor memory 528 and mass
storage memory 526. The reserved memory may store the results of the measurements
of the files and applications running within the system. Digests of the measurements
are known as integrity metrics and are stored in a protected form in the reserved
memory of the trusted component 550.

It should be noted that any target platform could have a number of different states of
trust. Thus, where a platform hosts a plurality of different processes some may be
trustworthy for a given purpose, others not, and some may satisfy some tests of a
trustworthy site and have failed others.



During the test to identify the nodes, the target nodes are interrogated, for example
using an integrity challenge of the type described in the TCPA specification. The
responses together with supporting information about the host platform's security
policies and the user's policies are evaluated to determine whether a target will be asked
or allowed to tender for the business.
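As an added example, not taken from the patent, the following shows how integrity metrics of the kind the trusted component 550 stores can be built from measurements of the BIOS, operating system and applications, and how a challenger can combine the reported value with the host's and the user's policies before asking a node to tender. The boot components, their digests and both policies are constructed for the example; the extend step follows the usual TPM pattern PCR_new = H(PCR_old || measurement). A real integrity challenge also carries a signature by the trusted component over the reported values, which is not modelled here.

```python
# Added example, not part of the patent text: building integrity metrics of the
# kind the trusted component 550 stores, and evaluating an integrity challenge
# response against the PCR values and policies carried with the private data.
# Components, digests and policies are constructed; the TPM's signature over a
# real attestation quote is not modelled.
import hashlib
from typing import Dict, List, Set, Tuple

PCR_SIZE = 32


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Fold one measurement into the register; the order of events matters."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_platform(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Platform side: measure BIOS, OS and applications in boot order into one PCR,
    keeping the event log the challenger needs to interpret the final value."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, content in components:
        digest = hashlib.sha256(content).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log: List[Tuple[str, str]]) -> bytes:
    """Challenger side: recompute the PCR from the reported event log."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def evaluate_challenge(reported_pcr: bytes, log: List[Tuple[str, str]],
                       allowed_pcrs: Set[bytes], host_policy: Dict[str, bool],
                       user_policy: Dict[str, bool]) -> Tuple[bool, str]:
    """Combine the integrity response with the host's and the user's policies to
    decide whether the target may be asked or allowed to tender."""
    if replay_log(log) != reported_pcr:
        return False, "event log does not reproduce the reported PCR"
    if reported_pcr not in allowed_pcrs:
        return False, "platform configuration is not one the data owner allows"
    if not host_policy.get("audited_privacy", False):
        return False, "host does not offer audited privacy"
    if user_policy.get("no_admin_access", False) and not host_policy.get("isolates_from_admin", False):
        return False, "administrator could view the data"
    return True, "ok"


# Constructed boot measurements and policies for the example.
GOOD_BOOT = [("BIOS", b"bios-v1"), ("OS", b"os-v1"), ("app", b"quote-service-v1")]
TAMPERED_BOOT = [("BIOS", b"bios-v1"), ("OS", b"os-v1-modified"), ("app", b"quote-service-v1")]
HOST_POLICY = {"audited_privacy": True, "isolates_from_admin": True}
USER_POLICY = {"no_admin_access": True}
```

The data owner's allowed set is the list of PCR values placed in the private data; a platform whose chain of measurements differs at any stage produces a different register value and is refused, and a log that does not reproduce the reported value is refused before the policy checks are even reached.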



Having identified the untrusted first node, the PDA creates, or the trusted service at the
Internet host creates, a first copy and masks out those items which the user has defined
as being sensitive at step 600 of Figure 6. Thus the name, address and PDA contact
address fields (fields that have H or M security in Figure 3) may be masked out such
that it is not possible to identify the owner of the data. Any symmetric mask means are
then erased from the data at step 610 to prevent that mask being available to the
recipient to unmask masked fields. The PDA or secure Internet service then sends the
data to the first node at step 620 which accepts the data and signs it with its own
signature key at step 630. The signature key is newly generated for the data and hence
is unique (or at least exceptionally rare).

An electronic service from an insurance company trawling for work contacts the node
at step 640 and sends one or more statements indicating the types of work for which it
will give quotes. The node examines the statements at step 650 and if a matching
statement is found, for example "MOTOR VEHICLE INSURANCE" then control is
passed to step 660 where the data is sent to the insurer together with an identifier such
that the result returned from the insurer can be matched to the data. After receiving the
returned quote at step 670, the first node appends the quote to the data and encrypts the
data with the public key of a public-private key pair, the public key being in the data
provided by the user. The node then appends the ID (unencrypted) to the encrypted
data and publishes on its site at step 680.


The individual seeking the quote then occasionally visits the web site of the first node,
making sure to capture (i.e. download or view) sufficient objects to prevent a malicious
observer deducing an interest in any given public object. When an individual finds a
published object that matches his or one of his IDs, the individual then attempts to
decrypt the object and unmask any masked fields. If the decryption succeeds and/or the
decrypted object contains unmasked data that matches that of the individual and/or
contains a signature that matches the individual's signature for any of his private data
then the individual can be assured that the object relates to him.
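The untrusted first node flow just described (steps 600 to 680 of Figure 6 and the owner's retrieval), as an added example that is not code from the patent. Fields with H or M control are masked with random symmetric mask data that stays with the owner and is absent from the copy; the node signs what it received, appends the quote, encrypts under the owner's public depository key, appends the plain ID and publishes; the owner then fetches the published objects and decrypts only those carrying his ID. The RSA pair built from two fixed Mersenne primes is a deliberately tiny, insecure stand-in for the depository key, the node's "signature" is an HMAC stand-in, and the field names, quote and IDs are constructed.

```python
# Added example, not part of the patent text: the untrusted first node flow of
# Figure 6. The RSA pair from two fixed Mersenne primes is an insecure toy
# stand-in for the depository key; the node signature is an HMAC stand-in;
# fields, quote and IDs are constructed.
import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable, List, Tuple

# --- toy hybrid public-key encryption (stand-in only, not for real use) ---
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse; Python 3.8+


def keystream(seed: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pk_encrypt(plaintext: bytes) -> Tuple[int, bytes]:
    k = secrets.randbelow(N - 2) + 2                 # fresh session secret, RSA-wrapped
    return pow(k, E, N), xor(plaintext, keystream(k.to_bytes(12, "big"), len(plaintext)))


def pk_decrypt(wrapped: int, body: bytes) -> bytes:
    k = pow(wrapped, D, N)
    return xor(body, keystream(k.to_bytes(12, "big"), len(body)))


# --- masking with symmetric mask data (a random string per sensitive field) ---
SENSITIVE = {"H", "M"}


def mask_fields(record: Dict[str, str], controls: Dict[str, str]):
    """Step 600: mask H/M fields; step 610: the copy carries no mask data."""
    copy, masks = {}, {}
    for name, value in record.items():
        if controls[name] in SENSITIVE:
            pad = secrets.token_bytes(len(value.encode()))
            masks[name] = pad                         # kept by the owner only
            copy[name] = xor(value.encode(), pad).hex()
        else:
            copy[name] = value
    return copy, masks


def unmask(copy: Dict[str, str], masks: Dict[str, bytes]) -> Dict[str, str]:
    out = dict(copy)
    for name, pad in masks.items():
        out[name] = xor(bytes.fromhex(copy[name]), pad).decode()
    return out


def node_publish(copy: Dict[str, str], quote: str, data_id: str, node_key: bytes) -> Dict:
    """Steps 630-680 on the first node: sign the received data, append the quote,
    encrypt under the depository key, append the ID unencrypted."""
    body = json.dumps(copy, sort_keys=True).encode()
    obj = {"data": copy, "quote": quote,
           "node_sig": hmac.new(node_key, body, "sha256").hexdigest()}
    wrapped, enc = pk_encrypt(json.dumps(obj, sort_keys=True).encode())
    return {"id": data_id, "wrapped": wrapped, "enc": enc.hex()}


def owner_retrieve(published: Iterable[Dict], my_ids: Iterable[str],
                   masks: Dict[str, bytes]) -> List[Dict]:
    """Owner fetches the published objects and decrypts and unmasks only those
    carrying one of his IDs (the site sees him fetch all, not which he uses)."""
    mine = set(my_ids)
    found = []
    for obj in published:
        if obj["id"] not in mine:
            continue
        inner = json.loads(pk_decrypt(obj["wrapped"], bytes.fromhex(obj["enc"])))
        inner["data"] = unmask(inner["data"], masks)
        found.append(inner)
    return found
```

Two properties of the text are visible in the code: the node never holds the mask, so it cannot recover the H/M fields even though it processes the copy, and the published object reveals only the ID in the clear, which is random and tells an observer nothing about the owner.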

If the individual wishes to accept the insurance quote, the individual contacts the
relevant insurance company. In order to prove to the company that he has received a
quote and to allow them to process the request fully, he provides the original copy of
his private data and the decrypted copy of the published version of his private data.
This provides sufficient data for the insurance company to verify that one of its agents
proposed the quotation and that the first copy provided to it was derived from the
original copy of the private data. The individual and the insurance company can then
exchange a contract of insurance.

Alternatively, it may be acceptable that the individual simply sends the requested
payment via an anonymity service to the insurance company and receives a receipt
thereof to confirm that insurance has been issued. The individual only needs to contact
the insurance company when he has to make a claim against his insurance. The
individual sends the original copy of his private data and the decrypted copy of the
published data in order to allow the insurer to verify that it has underwritten the
individual.
In the case of dealing with a trusted second node, … copy of the private data and
sends the data to the second node at step 700 of Figure 7.

The trusted second node accepts the copy of the private data, generates a signature key
and signs the data at step 710.


Now, when an insurer contacts the second node at step 720 the node examines the
statements in the descriptor of services sent by the insurance company and if the
company can offer a quote for motor insurance, the second node allows the insurance
company to execute its quote service on the private data, by sending an executable to
the second node (step 740). After the second node has calculated the result (step 750)
the second node copies the private data, appends the quote details, encrypts the data
with the user's public key, appends the ID and sends the result to the PDA contact
address detailed in the private data. These tasks are performed at step 760.

The individual receives the object and attempts to decrypt it. If the decryption is
successful then the individual can be fairly certain that the object is intended for him.
However, this can be confirmed by checking if the decrypted document contains
personal data that matches the individual's private data and/or the signature on the
unmasked data matches the individual's signature.


If the individual wishes to accept the quote he can contact the insurer as described
above.

In variations on the service the trusted node may not initially release the private data to
the service providers. Instead the trusted second node may be instructed by the security
conditions imposed by the owner of the data only to release the test data in the first
instance. The service provider, i.e. the insurance underwriter, acts on the test data as if
it were the real data because they cannot tell that only test data has been submitted. The
results of the tests are examined by the node using the rules in the usage information. If
acceptable, the node permits the executable to be applied to the real data. Alternatively
the results of the test data are returned to the user using the same data transport and
handling techniques as described above. The individual can examine the results
returned from the operation of the test data, and if they approve the submission of the
real data to the service provider, the individual republishes his private data with
permission to execute the service on the private data.
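One way a trusted node can gate a submitted executable on the test data first, as the preceding paragraphs describe, is shown in the following added example (not code from the patent). The node runs the executable against the congruent test record, records which fields it read (an audit trail), checks the reads against the fields permitted for the declared purpose and the returned value against the result rules carried in the usage information, and only then applies the executable to the real record. The quote applications, the records, the permitted fields and the result rules are all constructed for this example.

```python
# Added example, not part of the patent text: a trusted node applies a submitted
# executable to the test data first, audits what it reads and checks the result
# against rules from the usage information, and only then uses the real data.
# Applications, records, permitted fields and rules are constructed.
from typing import Any, Callable, Dict, Set, Tuple


class AuditedRecord(dict):
    """Record view handed to an executable; logs every field it reads through
    indexing (dict.get and iteration are not intercepted in this toy)."""

    def __init__(self, data: Dict[str, Any]):
        super().__init__(data)
        self.reads: list = []

    def __getitem__(self, key):
        self.reads.append(key)
        return super().__getitem__(key)


def gate(application: Callable[[AuditedRecord], Any],
         private: Dict[str, Dict[str, Any]],
         permitted_fields: Set[str],
         result_rules: Dict[str, Callable[[Any], bool]]) -> Tuple[str, Any, Any]:
    """Run on the test data first; return (decision, test_result, real_result)."""
    test_view = AuditedRecord(private["test"])
    test_result = application(test_view)
    outside = set(test_view.reads) - permitted_fields
    if outside:
        return f"rejected: read fields outside purpose {sorted(outside)}", test_result, None
    for name, holds in result_rules.items():
        if not holds(test_result):
            return f"rejected by result rule {name}", test_result, None
    real_view = AuditedRecord(private["real"])       # released only after the checks
    return "accepted", test_result, application(real_view)


# Constructed private data: a real record and a congruent test record.
PRIVATE = {
    "real": {"age": 37, "postcode": "AB1 2CD", "medical": "condition X"},
    "test": {"age": 25, "postcode": "ZZ9 9ZZ", "medical": "none"},
}
PERMITTED = {"age", "postcode"}                  # purpose: motor insurance quote
RULES = {"positive": lambda q: q > 0, "bounded": lambda q: q < 5000}


def motor_quote(rec) -> int:
    """Well-behaved constructed quote service."""
    return 250 + 10 * max(0, 30 - rec["age"]) + (50 if rec["postcode"].startswith("Z") else 0)


def nosy_quote(rec) -> int:
    """Constructed service that also reads a field outside the declared purpose."""
    return motor_quote(rec) + (1000 if rec["medical"] != "none" else 0)
```

Because the test record is of the same type as the real one, the executable cannot tell which it is given, so its behaviour on the test record is evidence of how it will treat the real data.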

A platform may promiscuously test applications to determine their suitability to process
private data and may use result rules included in the usage rules, or submit results to the
user for explicit approval (as previously described). If an application is suitable, the
results may be appended to the private data. Resultant private data may be
communicated to the entity responsible for the application. Resultant private data may
be communicated to the platform that provided the private data. A copy or copies of
resultant private data may be published (as described above).

A platform may promiscuously test applications in private data to determine their
suitability to process other data, and may use result rules included in the usage rules, or
submit results to the user for explicit approval (as previously described). If private data
is suitable, the results may be appended to the private data. Resultant private data may
be communicated to the entity responsible for the application. Resultant private data
may be communicated to the platform that provided the private data. A copy or copies
of resultant private data may be published (as described above).

Using private data to determine whether results are acceptable may require copying of
private data to other nodes. This is the case when a particular usage of private data
does not contain result criteria, or the result criteria are masked.

Speculative applications can be of use when the private data relates to, for example, an
individual's finances and the trusted node holds an individual's bank account
information but does not belong to the bank and instead executes the bank's
applications that manage the individual's account. A speculative application that might
be valuable to the user might be a third party service that verifies that the bank is
managing the account correctly, for example paying the correct amount of interest when
the account is in credit or deducting the correct charges when the account is in debt.
In a further example of the present invention, the second trusted node of the above
example may detect that an instruction is being issued to it by its owner that will initiate
a change in the configuration of the node. An extreme example may be that the node is
being instructed to give data out to any third party that requests it.

Given that the node is a trusted node, it must first check through all the private data that
it is hosting and check whether the data could still be held on that node, in accordance
with the security provisions specified by the owner of the data, once the node has
changed to its new configuration. For data that cannot continue to be held, the node
deletes from its trusted module 550 the controlling key or keys that provide access to the
data. Thus, even if the data on the node is restored from
back up systems, the private data does not become accessible because the decryption
means was held within the TPM and has been destroyed.

Only when all private data that cannot continue to exist in the new configuration has
been rendered unusable can the node then implement its change of configuration.
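The reconfiguration check described above, as an added example that is not code from the patent: before applying a new configuration the node checks every hosted private data set against the owner's security provisions, destroys the controlling key held in its trusted module for any data that may not persist, and only then switches configuration, so that a later restore from backup yields unusable ciphertext. The trusted module is an in-memory key store standing in for the TPM, each data set is protected with a one-time pad held as that key, and the policies and configuration names are constructed.

```python
# Added example, not part of the patent text: key destruction in the trusted
# module before a configuration change, so backup restores cannot revive data
# that may not be held under the new configuration. The TrustedModule is a
# stand-in for the TPM; policies and configuration names are constructed.
import secrets
from typing import Dict, List, Optional, Tuple


class TrustedModule:
    """Stand-in for the key-holding part of trusted component 550."""

    def __init__(self):
        self._keys: Dict[str, bytes] = {}

    def create_key(self, handle: str, length: int) -> bytes:
        self._keys[handle] = secrets.token_bytes(length)
        return self._keys[handle]

    def use_key(self, handle: str) -> bytes:
        return self._keys[handle]            # KeyError once destroyed

    def destroy_key(self, handle: str) -> None:
        self._keys.pop(handle, None)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Node:
    def __init__(self, config: Dict[str, str]):
        self.config = config                  # e.g. {"release_to": "trusted_only"}
        self.tpm = TrustedModule()
        self.store: Dict[str, Tuple[bytes, Dict]] = {}   # id -> (ciphertext, policy)
        self.backup: Dict[str, Tuple[bytes, Dict]] = {}  # ordinary backup copies

    def host(self, data_id: str, plaintext: bytes, policy: Dict) -> None:
        key = self.tpm.create_key(data_id, len(plaintext))   # one-time pad as the key
        self.store[data_id] = (xor(plaintext, key), policy)
        self.backup[data_id] = self.store[data_id]

    def read(self, data_id: str) -> bytes:
        ciphertext, _ = self.store[data_id]
        return xor(ciphertext, self.tpm.use_key(data_id))

    @staticmethod
    def permits(policy: Dict, config: Dict[str, str]) -> bool:
        """Owner's provision: configurations under which the data may be held."""
        return config["release_to"] in policy["allowed_release"]

    def reconfigure(self, new_config: Dict[str, str]) -> List[str]:
        """Shred what cannot survive the new configuration, then switch."""
        removed = []
        for data_id, (_, policy) in list(self.store.items()):
            if not self.permits(policy, new_config):
                self.tpm.destroy_key(data_id)
                del self.store[data_id]
                removed.append(data_id)
        self.config = new_config               # only after the shredding is complete
        return removed

    def restore_from_backup(self, data_id: str) -> Optional[bytes]:
        """Restoring the ciphertext does not help once the key is gone."""
        self.store[data_id] = self.backup[data_id]
        try:
            return self.read(data_id)
        except KeyError:
            del self.store[data_id]
            return None
```

The ordering in reconfigure is the point of the passage: the configuration attribute changes last, after every key that must not survive has been removed from the trusted module.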

In another example, it is highly likely that an individual will hold personal files on his
personal computer. The personal files may contain private information. There may
also be innocuous test files that have dummy information which is broadly consistent to
or equivalent with the real private information. Thus any test field is of the same type
as an equivalent field in the real data, such that both can be manipulated in the same
way. The data may also include means for interrogating the integrity of a target
platform, such as the trusted computing platform alliance's (platform configuration
register, PCR) values that indicate or define the properties of the platforms that may
host the private data. The data may also include a randomly generated ID, for example
of 20 bytes or so, which is therefore likely to be unique during the time frame for which
the data is required. The computer will also store a depositary key, a public key used to
verify the signature over all signed private data and sufficient keys (preferably randomly
chosen) to encrypt all the personal files. This computer also may contain one or more
statements concerning the intended or mandatory use of the private data. Thus one
statement may define that the data is for use by textual editors or spreadsheet
calculators. A further statement may indicate that the data … within the UK. The
restriction on duplication may be modified, for example by specifying that the
duplication is limited to web sites manifested in airport lounges during a predetermined
time period.

The individual may also have a PDA that contains supporting private information, 
primarily the masking information, but not the personal files. 

In order to prepare for access to his data, the user instructs the computer to create a
temporary copy of the private data it holds. The computer masks all the personal real
and test data files by asymmetrically (say) encrypting with the relevant mask
information (that is, security control information) supplied from the PDA. The
computer sends the temporary copy, optionally via an anonymity service, to a service
that acts as a gateway to the airport computers in airport lounges.

The gateway distributes the private data to the airport computers in accordance with the
distribution parameters contained within the statements of use.

When visiting an airport lounge, the individual connects his PDA to the complementary
computer system provided in the airport lounge. The PDA then searches for the private
data belonging to the individual.

Having found the individual's data, the PDA issues a challenge to the airport computer
to determine if it has a trusted computer architecture. Having verified that this is so the
PDA informs the user appropriately.

When an individual wishes to use one of his files, the PDA contacts the airport
computer and asks it to demonstrate that it hosts applications capable of generating the
desired results from the private data. In order to confirm this, the PDA supplies the
airport computer with unmasking data that will unmask the test data; the airport
computer may run the application on the test data in the private data, producing an audit
trail or log of transactions as it executes the process.
Optionally the airport computer also provides an encrypted version of an indemnity or
some other "hostage data" in order to compensate the individual for misuse or violation
of his data. The hostage data can be decrypted preferably in cooperation with a third
party, who releases or enables release of the hostage data when conditions justify such
release, such as when private data has been misused.

If tests using test data were satisfactory, the PDA can then supply the airport computer
with the unmasking data that allows decryption of the real personal data. The airport
computer then decrypts the real personal data and permits the individual to manipulate
the decrypted file using the same program that operated on the test data. An audit trail
is generated as before.

At the end of the user's session (which might be complimentary or involve a fee) the
airport computer uses the masking data to render the personal data confidential. Then
the airport computer copies the private data, appends the masked (encrypted) altered
personal file, encrypts the resultant object with the public depository key within the
private data, appends the ID from the private data and publishes the data on its web site.
This can also be done on an airport website or a third party site for recovering such
data.


When the owner of the data wishes to retrieve it, he visits the web site, possibly making
sure that he captures sufficient published objects to prevent an observer from deducing
his identity or interests. When the individual finds an object that matches his ID the
individual attempts to decrypt the object. If the decryption succeeds and contains
unmasked data that matches his own, then the individual recognises the published
object as his own. He can then proceed to recover the masked altered data file and to
use the original mask or security control to replace the original file with the altered file.

The present invention can further be utilised in order to facilitate the delivery of
physical goods. Carriers waste a lot of time when they attempt to deliver goods to a
household but find that there is no one there to accept delivery. The carrier cannot
easily avoid this, as they cannot discover in advance whether and when someone will be
present in the household because householders are reluctant to disclose such
information. The main reason for their reluctance is that householders cannot be sure
that the enquiry is legitimate, and even if it is, they cannot be sure that the information
will not leak to an undesirable power. In short, they fear that they will be burgled, or
suffer a loss of privacy.

Currently, delivery companies try to overcome this problem by leaving the package
with a neighbour or leaving a card to indicate that a delivery was attempted and that a
given person should be contacted to arrange a repeat delivery. This is an inconvenient
and uneconomic process for the delivery company, and inconvenient and irritating for
the customers.



In order to overcome this, a household may have a system arranged to automatically
detect the presence of people within the house or to maintain a diary that indicates the
current and expected presence of persons at that address. The diary can also indicate
whether a delivery would be accepted. Such information may be treated as much as
private data as the name and address of the household. Private data, including the
location information, may be held on the household's computer operating in accordance
with the present invention, and propagated to a delivery company's computer operating
in accordance with the present invention. Naturally, the household should verify that the
carrier is known to the household, and is known to be trustworthy, before propagating
the private information to the delivery company's computer.

The carrier maintains a database of goods to be delivered. The database is held within a
trusted computing platform having audit privacy. In use, the carrier enters the address
of the intended delivery into the database. The carrier supplies an executable program
that operates on the household data to reveal when the householder is in, but not when
the householder is out. The platform verifies that this type of program is permitted to
use the private data supplied by the household. The carrier can observe neither the
private data nor the results of the enquiry, and hence neither the computer administrator
nor a computer user can deduce the times that a house is unoccupied. The carrier's
database then attempts to match the expected presence of someone in the household
with a delivery schedule, and to schedule deliveries as … . The carrier's
database may notify the household that a delivery is scheduled.

The carrier's personnel cannot query or inspect the database to find … of the
occupants of the household because the database is on a trusted computing platform
that uses TCPA technology (or equivalent) and trusted compartment technology (or
equivalent) to isolate data (including applications and results) from the administrator
and user of the platform. Thus the carrier's personnel are notified only of a delivery via
the delivery schedule.

Preferably the carrier's database randomly selects delivery times from a selection of
possible delivery times in order to decrease the probability that times that are not
scheduled delivery times can be assumed to indicate the absence of a person at the
delivery address.

Advantageously the sender of the goods enters the address of the intended delivery into
the carrier's database and receives an identification value or token that does not include
the delivery address. The sender can then address the goods with the identification
token rather than the conventional (physical) delivery address. Preferably the delivery
schedule is given to the driver in electronic form and a delivery address and
identification are not revealed to the driver until the schedule indicates that those
goods are the next to be delivered. It is thus possible to use the secure handling of
information in accordance with the present invention to facilitate the operation of
services that would otherwise involve a security risk.
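The delivery scheduling of the preceding paragraphs, as an added example that is not code from the patent. The carrier's executable may return only windows in which someone is in, and the trusted platform refuses any output that would reveal absence; the chosen slot is drawn at random from the feasible ones so that an unscheduled time says nothing about presence; the sender receives a token in place of the address; and the driver sees the address only when the parcel is next. The diary contents, slot names and token format are constructed for this example.

```python
# Added example, not part of the patent text: carrier scheduling over a
# household's private diary on a trusted platform. Diary contents, slot names
# and the token format are constructed.
import secrets
from typing import Dict, List, Optional, Tuple


def presence_windows(diary: Dict[str, str], slots: List[str]) -> List[str]:
    """Constructed carrier executable: the candidate slots when someone is in."""
    return [s for s in slots if diary.get(s) == "in"]


def leaky_windows(diary: Dict[str, str], slots: List[str]) -> List[str]:
    """Constructed misbehaving executable that would reveal when the house is empty."""
    return [s for s in slots if diary.get(s) == "out"]


def platform_run(app, diary: Dict[str, str], slots: List[str]) -> Tuple[bool, List[str]]:
    """Trusted platform: run the app on the private diary and admit its output
    only if every returned slot is a candidate slot marked 'in'."""
    result = app(dict(diary), list(slots))
    if set(result) <= set(slots) and all(diary.get(s) == "in" for s in result):
        return True, result
    return False, []


def choose_slot(feasible: List[str]) -> Optional[str]:
    """Random choice so that a slot not chosen says nothing about presence."""
    return secrets.choice(feasible) if feasible else None


class CarrierDatabase:
    def __init__(self):
        self._parcels: Dict[str, Dict[str, Optional[str]]] = {}

    def register(self, address: str) -> str:
        """The sender gets a token that does not include the delivery address."""
        token = "PKG-" + secrets.token_hex(4)
        self._parcels[token] = {"address": address, "slot": None}
        return token

    def plan(self, token: str, diary: Dict[str, str], slots: List[str]) -> Optional[str]:
        ok, feasible = platform_run(presence_windows, diary, slots)
        self._parcels[token]["slot"] = choose_slot(feasible) if ok else None
        return self._parcels[token]["slot"]

    def driver_view(self, token: str, now: str) -> Dict[str, str]:
        """The address is shown to the driver only when this parcel is next."""
        p = self._parcels[token]
        if p["slot"] != now:
            return {"token": token}
        return {"token": token, "address": p["address"], "slot": p["slot"]}


# Constructed household diary and candidate slots for the example.
DIARY = {"mon-am": "in", "mon-pm": "out", "tue-am": "in"}
SLOTS = ["mon-am", "mon-pm", "tue-am"]
```

In a deployment the diary and the executable's result would never leave the trusted platform; here the only things the carrier database ever stores are the token, the address it already had, and the single chosen slot.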
CLAIMS



1. A method of controlling the processing of data, wherein the data comprises a
plurality of usage rules for a plurality of data items, and applying individualised usage
rules to each of the data items based on a measurement of integrity of a computing
entity to which the data items are to be made available.

2. A method as claimed in claim 1, in which at least some of the usage rules 
comprise masking instructions for masking the associated data items. 

3. A method as claimed in claim 2, in which a data item is masked from a set of
data by encrypting it.

4. A method as claimed in claim 3, in which a data item is encrypted with an
associated encryption key, said encryption key being different for different ones of the
data items.

5. A method as claimed in claim 1, in which the usage rules define security rules
for the associated data item.

6. A method as claimed in any one of the preceding claims in which the data may
be transferred between computing entities and the instantiation of the data at each
computing entity depends on the capabilities of that entity.

7. A method as claimed in claim 6, in which a computing entity is a computing
platform.

8. A method as claimed in claim 6, in which the computing entity is a software
process.

9. A method as claimed in any one of the preceding claims in which a computing
entity can reliably and irrevocably deny future access to selected data items.

10. A method as claimed in claim 9, in which means for accessing the data is stored
within a protected memory.



11. A method as claimed in claim 10, in which the protected memory is within a
trusted computing module.

12. A method as claimed in any one of the preceding claims, in which computing
entities negotiate with one another concerning the use of the data before the data is
made available.

13. A method as claimed in any one of the preceding claims in which the data has
constraints defining conditions for use of the data.

14. A method as claimed in claim 13, in which the constraints define at least one
item selected from:

a. the purpose for which the data can be used

b. the geographical area in which the data may be manifested

c. the temporal domain in which the data may be manifested

d. the computing platforms that manipulate the data.

15. A method as claimed in any one of the preceding claims in which the data
further includes test data.

16. A method as claimed in claim 15, in which the structure of test data is
comparable to the structure of real data contained by the data items.

17. A method as claimed in claim 16, in which the results of operations performed
on the test data are examined in order to make a decision on whether to release the real 
data to a node that operated on the test data. 

18. A method as claimed in any one of the preceding claims, in which a node
requesting access to the data supplies hostage material to the node issuing the data prior
to the issuance of the data.

19. A method as claimed in claim 18, in which a third party hostage release
authority is contacted to activate the hostage material.



20. A method as claimed in any one of the preceding claims … itself in possession
of data whose history or content do not meet predetermined requirements, formats the
data and places it in a repository.

21. A method as claimed in claim 20, in which the data placed in the repository is in
an encrypted form.

22. A method as claimed in claim 21, in which the data is encrypted using a public
key included in the data.

23. A method as claimed in claim 21 or 22, in which the data in the repository is
associated with an identification means to enable the owner of the data to identify it.

24. A method as claimed in any one of the preceding claims, in which a node
wishing to present the data for retrieval places the data in a repository.

25. A method as claimed in claim 24, in which the data is placed in the repository in
encrypted form.

26. A method as claimed in claim 25, in which the data is encrypted using a public
key included in the data.

27. A method as claimed in claim 26, in which the data in the repository is
associated with identification means to enable the owner of the data to identify it.

28. A method as claimed in claim 1, in which constraints associated with the data
determine whether the data will process on anything other than a trusted computing
platform.

29. A method as claimed in claim 28, in which constraints associated with the data
determine whether the data and/or results from processing the data are inhibited from
viewing by a computing platform owner or administrator.

30. A method as claimed in any one of the preceding claims in which the security
contracts are stored separately from the data.
31. A method as claimed in any one of the preceding claims in which encryption or
decryption keys are stored separately from the data.

32. A method as claimed in any one of the preceding claims in which a computing
entity that receives data signs the data with a signature key belonging to that entity.

33. A method of controlling the processing of data, wherein the data comprises a
plurality of rules associated with a plurality of data items, said rules acting to define the
use of the data or security to be observed when processing the data, and in which
forwarding of the data is performed in accordance with mask means provided in
association with the rules.

10 34. A method as claimed in claim 33, in ^ch the mask comprises at least one of a 
symmetric encayption string, symmetric encryption key, and an asymmetric encryption 
key. 

35. A method as claimed in claim 33, in which the rales associated with the data 
items are adhered to m preference to data handling rules associated with a computing 

15 entity processing the data. 

36. A method as claimed in claim 33, in which at least some of the rules conqjrise 
masking instructions for masking the associated data items. 

37. A method as claimed in claim 36, in which a data item is masked fiom a set of 
data by encrypting it 

20 38. A method as claimed in claim 37, m which a data item is encrypted wife an 
associated encryption key, said encryption key being different for different ones of the 
data items. 

39. A method as claimed in any one of claims 33 to 38 in which the data may be 
transferred between computing entities and the instantiation of the data at each 

25 computing entity depends on the cqiabilities of the entity. 

40. A method as claimed in claim 33, in which the rules define at least one item
selected from:

a. the purpose for which the data can be used
b. the geographical area in which the data may be manifested
c. the temporal domain in which the data may be manifested
d. the computing platforms that may manipulate the data.

41. A method as claimed in any one of claims 33 to 40 in which the data further
includes test data, the test data is comparable to the structure of real data contained by
the data items, and in which the results of operations performed on the test data are
examined in order to make a decision on whether to release the real data to a node that
operated on the test data.

42. A method as claimed in claim 33, in which a computing entity finding itself in
possession of data whose history or content do not meet predetermined requirements, or
wishing to make data available because it has performed some processing in at least
partially masked form, formats the data and places it in a repository.
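The mechanism of claims 33 to 42 can be read as a small data model: each item carries its own rule (purpose, permitted platforms, masking instruction), masked items travel encrypted under a per-item key that is released only to a platform the rule admits, item rules take precedence over the receiving platform's own policy, and real data is released only after the node has produced the expected result on structurally identical test data. The following is an added Python illustration of that reading, not code from the patent or any implementation of it; the rule shapes, platform names, purposes, sample records and the HMAC-based XOR keystream used as the "symmetric encryption key" mask are all constructed for the demonstration (the keystream is a stand-in for a real cipher, not something to deploy).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def mask_bytes(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric mask: XOR with an HMAC-SHA256 counter keystream (the same call
    unmasks). Constructed stand-in for the symmetric-key mask of claim 34."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass(frozen=True)
class Rule:
    """Per-item rule (claims 33, 36, 40): permitted purposes, platforms that may
    handle the item, and whether the item is masked (encrypted) when forwarded."""
    purposes: frozenset
    platforms: frozenset
    masked: bool = True


@dataclass
class DataItem:
    name: str
    value: str
    rule: Optional[Rule]                       # None: the item carries no rule of its own
    key: bytes = field(default_factory=lambda: os.urandom(32))  # distinct key per item (claim 38)


def forward(items, platform: str, purpose: str, platform_policy: Rule):
    """Package items for a receiving platform; returns (payload, released_keys).

    Masked items always travel encrypted and their key is released only when the
    item's rule admits this platform and purpose. platform_policy is the receiver's
    own handling rule and is consulted only for items without a rule (claim 35)."""
    payload, released = {}, {}
    for item in items:
        rule = item.rule if item.rule is not None else platform_policy
        allowed = purpose in rule.purposes and platform in rule.platforms
        if rule.masked:
            nonce = os.urandom(12)
            payload[item.name] = (nonce, mask_bytes(item.key, nonce, item.value.encode()))
            if allowed:
                released[item.name] = item.key  # key supplied alongside the rules (claim 45)
        elif allowed:
            payload[item.name] = item.value     # unmasked item, forwarded in clear
    return payload, released


def unmask(payload, released) -> dict:
    """What the receiver can actually read: clear items plus masked items whose key it holds."""
    clear = {}
    for name, v in payload.items():
        if isinstance(v, str):
            clear[name] = v
        elif name in released:
            nonce, ct = v
            clear[name] = mask_bytes(released[name], nonce, ct).decode()
    return clear


def gate_release(test_items, real_items, platform, purpose, node_fn, expected, platform_policy):
    """Claim 41: the node first operates on test data of the same structure; the real
    items are forwarded only if its result matches the owner's expectation."""
    result = node_fn({i.name: i.value for i in test_items})
    if result != expected:
        return None
    return forward(real_items, platform, purpose, platform_policy)


# Constructed sample data (hypothetical platforms, purposes and values).
TRUSTED = frozenset({"trusted-platform"})
ANY = frozenset({"trusted-platform", "untrusted-platform"})
RESEARCH = frozenset({"research"})
PLATFORM_POLICY = Rule(frozenset({"research", "marketing"}), ANY, masked=False)


def sample_items():
    return [
        DataItem("surname", "Doe", Rule(RESEARCH, TRUSTED, masked=True)),
        DataItem("postcode", "AB1 2CD", Rule(RESEARCH, TRUSTED, masked=True)),
        DataItem("age", "42", Rule(RESEARCH, ANY, masked=False)),
        DataItem("gender", "F", None),            # no item rule: platform policy decides
    ]


def test_items():
    """Dummy records with the same structure as sample_items() (claim 41)."""
    return [DataItem("surname", "Testname", None), DataItem("postcode", "ZZ9 9ZZ", None),
            DataItem("age", "35", None), DataItem("gender", "X", None)]
```

Two things the run shows that the claims only state: an untrusted platform still receives the masked surname and postcode (so the structure of the record is intact for onward forwarding) but cannot read them, and a purpose outside the item's rule withholds the key even on a trusted platform, regardless of what the platform's own policy would permit.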

43. A computer program for instructing a programmable computer to implement the 
method of any one of claims 1 to 42. 

44. A processing system for processing private data, wherein the private data
comprises a plurality of data fields and each field is associated with customisation data
that controls the use and propagation of the data, and wherein the processing system is
subservient to the constraints defined by the customisation data.

45. A computing device arranged to receive data and security rules associated with
the data, and in which forwarding of the data is performed in accordance with the
security rules, including encryption keys, supplied with the security rules instead of
with keys belonging to the security device.